I’ve been elbow-deep in other people’s networks for nineteen years now, and if there’s one constant it’s that the shiny toys always turn up long before the basics are nailed down.

The EDR / MDR / XDR mirage
Over the last half-decade every board slide has the same checkbox: “SOC in place – ✅”. They buy a managed-detection-whatever, park an extra £40k a year on the OPEX line, and assume that’s “job done”. Then I rock up, plug in, fire a couple of nmap -sS sweeps and waltz around with Responder like it’s 2015—and the grand, all-seeing cyber panopticon continues scrolling Netflix in the background.

It’s embarrassing how often the first sign of “malicious activity” in the SOC console is me brute-forcing an entire /22 with Nessus because I’m running out of engagement time. Low-and-slow is overrated when no one’s looking in the first place.
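The point above is that a sweep across a /22 is not subtle, so the detection logic for it is not complicated either. The block below is an added example, not code from the post or from any MDR product: a sliding-window detector that raises an alert when one source touches too many distinct hosts (a horizontal sweep) or too many distinct ports on one host (a vertical scan). The one-line-per-connection log format and the thresholds are assumptions chosen for the example; a real SOC would map Zeek conn.log, NetFlow or firewall deny events onto the same five fields.

```python
"""Added example (not part of the post): a minimal sweep / port-scan detector
over flow-style log lines. The log format, sample traffic and thresholds are
constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields: timestamp source destination dest_port protocol  (assumed layout)
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)$")

WINDOW = timedelta(seconds=60)   # sliding window per source
HOST_THRESHOLD = 16              # distinct destination hosts from one source
PORT_THRESHOLD = 12              # distinct destination ports on one host


def make_sample_log():
    """Constructed traffic: a benign workstation, one host sweeping
    10.10.8.0/24 on 445 (nmap -sS style), one host port-scanning a server."""
    base = datetime(2025, 3, 1, 9, 0, 0)
    lines = []
    for i in range(10):                       # benign user traffic
        t = (base + timedelta(seconds=i * 30)).isoformat()
        lines.append(f"{t} 10.10.5.40 10.10.1.5 445 tcp")
        lines.append(f"{t} 10.10.5.40 10.10.1.9 3128 tcp")
    for i in range(40):                       # horizontal sweep: 40 hosts in 8 s
        t = (base + timedelta(seconds=2 + i * 0.2)).isoformat()
        lines.append(f"{t} 10.10.5.23 10.10.8.{i + 1} 445 tcp")
    for i in range(30):                       # vertical scan: 30 ports in 15 s
        t = (base + timedelta(seconds=100 + i * 0.5)).isoformat()
        lines.append(f"{t} 10.10.5.77 10.10.1.5 {1000 + i} tcp")
    lines.append("this line is garbage and must be skipped")
    return lines


def parse_line(line):
    """Return (ts, src, dst, dport, proto) or None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    try:
        return datetime.fromisoformat(ts), src, dst, int(dport), proto
    except ValueError:
        return None


def detect_scans(lines):
    """Raise one alert per source sweep and per (source, host) port scan the
    first time the distinct count inside WINDOW crosses its threshold.
    Returns {alert_key: {"kind", "first_seen", "detected", "count"}}."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e[0])
    hosts = defaultdict(deque)   # src -> deque[(ts, dst)]
    ports = defaultdict(deque)   # (src, dst) -> deque[(ts, dport)]
    alerts = {}

    def update(dq, ts, value, threshold, key, label):
        dq.append((ts, value))
        while ts - dq[0][0] > WINDOW:         # expire entries older than WINDOW
            dq.popleft()
        distinct = len({v for _, v in dq})
        if distinct >= threshold and key not in alerts:
            alerts[key] = {"kind": label, "first_seen": dq[0][0],
                           "detected": ts, "count": distinct}

    for ts, src, dst, dport, _proto in events:
        update(hosts[src], ts, dst, HOST_THRESHOLD, ("sweep", src), "sweep")
        update(ports[(src, dst)], ts, dport, PORT_THRESHOLD,
               ("portscan", src, dst), "portscan")
    return alerts


if __name__ == "__main__":
    for key, a in detect_scans(make_sample_log()).items():
        lag = (a["detected"] - a["first_seen"]).total_seconds()
        print(f"{a['kind']:8} {key[1:]}  {a['count']} distinct, "
              f"alerted {lag:.1f}s after the first packet")
```

On the constructed sample the sweep is flagged about three seconds after its first SYN and the port scan about five and a half seconds in; the benign workstation never trips either threshold. The lag between `first_seen` and `detected` is the number to put on the board slide, because it is exactly the figure a blind test of the MDR should be measured against.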

IPv6: the gift that keeps on giving
Nothing warms my pentester heart like running ipconfig and seeing a fat stack of fe80: addresses. Microsoft ships IPv6 on by default, nobody audits it, and boom: mitm6 + ntlmrelayx = instant NTLM relay buffet. I’ve yet to meet an MDR platform that squeals when a rogue DHCPv6 advertises itself as the organisation’s new DNS for literally every host on the subnet. Hours later I’m still harvesting hashes while the SOC’s dashboards glow a healthy green.
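The rogue-DHCPv6 pattern described above is detectable precisely because it breaks a simple policy: on a given segment only known routers send Router Advertisements, only sanctioned servers (often none at all) answer DHCPv6, and the DNS servers being handed out are the organisation's real resolvers. The block below is an added example, not code from the post or from mitm6 or any MDR: it audits constructed sensor records against such a policy and flags the announcer that hands out itself as DNS. The record layout and the policy values are assumptions; in practice the records would come from Zeek, Suricata or a pcap of ICMPv6 and DHCPv6 traffic.

```python
"""Added example (not part of the post): flag rogue DHCPv6 servers and
Router Advertisements from sensor records. Record format, sample records
and POLICY are constructed for this example."""
import ipaddress

# Constructed policy for one segment. An empty dhcpv6_servers set encodes the
# common case "we run no DHCPv6 here", so *any* DHCPv6 server is rogue.
POLICY = {
    "routers": {"00:11:22:33:44:01"},                       # MACs allowed to send RAs
    "dhcpv6_servers": set(),                                # MACs allowed to answer DHCPv6
    "resolvers": {ipaddress.ip_address("2001:db8:1::53")},  # sanctioned DNS servers
}

# Fields: timestamp kind src_mac src_addr [dns=a,b,...]  (assumed layout)
SAMPLE_RECORDS = """\
2025-03-01T09:00:00 RA 00:11:22:33:44:01 fe80::1 dns=2001:db8:1::53
2025-03-01T09:00:05 DHCPV6_SOLICIT 00:11:22:33:44:77 fe80::77
2025-03-01T09:00:05 DHCPV6_ADVERTISE de:ad:be:ef:00:01 fe80::dead:beef dns=fe80::dead:beef
2025-03-01T09:00:09 RA de:ad:be:ef:00:01 fe80::dead:beef
2025-03-01T09:00:12 DHCPV6_REPLY de:ad:be:ef:00:01 fe80::dead:beef dns=fe80::dead:beef
"""

SERVER_KINDS = {"DHCPV6_ADVERTISE", "DHCPV6_REPLY"}   # messages only a server sends


def parse_record(line):
    """Parse one sensor record into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, kind, mac, addr = parts[:4]
    dns = ()
    for extra in parts[4:]:
        if extra.startswith("dns="):
            dns = tuple(ipaddress.ip_address(a) for a in extra[4:].split(",") if a)
    try:
        src = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return {"ts": ts, "kind": kind, "mac": mac.lower(), "addr": src, "dns": dns}


def check_record(rec, policy=POLICY):
    """Return the list of policy violations for one announcement (empty = fine)."""
    reasons = []
    if rec["kind"] == "RA" and rec["mac"] not in policy["routers"]:
        reasons.append("RA from unauthorised router")
    if rec["kind"] in SERVER_KINDS and rec["mac"] not in policy["dhcpv6_servers"]:
        reasons.append("unsanctioned DHCPv6 server")
    for resolver in rec["dns"]:
        if resolver == rec["addr"]:
            # the tell-tale pattern: the announcing host names itself as DNS
            reasons.append("announcer advertises itself as DNS")
        elif resolver not in policy["resolvers"]:
            reasons.append(f"unapproved DNS resolver {resolver}")
    return reasons


def audit(text, policy=POLICY):
    """Return [(ts, mac, reasons)] for every record that violates policy."""
    findings = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and (reasons := check_record(rec, policy)):
            findings.append((rec["ts"], rec["mac"], reasons))
    return findings


if __name__ == "__main__":
    for ts, mac, reasons in audit(SAMPLE_RECORDS):
        print(f"{ts} {mac}: " + "; ".join(reasons))
```

The detector is the compensating control, not the fix: RA-Guard and DHCPv6 Guard on the access switches stop the announcements reaching hosts at all, while this check only tells you that they were sent. Its blind spot is any segment without a sensor, which is worth remembering when the dashboard glows green.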

Legacy sins and privilege lunacy
Add in the usual museum pieces—SMB v1 still breathing, SMB-signing “too tricky right now”, core switches that went end-of-life the week Top Gear still had Clarkson—and you’ve got a petri dish for compromise. Sprinkle a handful of reused passwords from the latest Have I Been Pwned dump and we’re basically speed-running “How to lose a network in five minutes”.

And let’s talk about privilege abuse. I love the confident “We’ve reduced Domain Admins to just our support desk and a couple of third-party contractors.” Right—exactly the people who click every shared .exe your attacker emails them. Don’t get me started on directors insisting on local-admin “for convenience”. Convenience is ransomware, Karen.

Patch the boring stuff, train the humans
Look, I get it—EDR dashboards are sexy, Patch Tuesdays aren’t. But when your Adobe Reader is three majors behind, AI heuristics won’t save you. Same with phishing: run dull quarterly tests and your click rate drops to single digits; lob in a halfway-decent GPT-4 lure about a “new leadership bonus scheme” and 90% of staff roll out the red carpet. Credential passthrough, quick privilege escalation, game over.

Wake-up call for leadership
A stubborn slice of the workforce (and more than a few execs) still think security is someone else’s problem. Truth bomb: attackers adore org-charts. The higher the ego, the bigger the target—because seniority usually maps to access and complacency. If you run a company and you’re not personally championing least-privilege, mandatory MFA and regular tabletop drills, then congratulations: you’re the soft underbelly we’ll probe first, and so will the real criminals.

The takeaway (a.k.a. the bit to print and wave at the board)
1. SOC ≠ solved. Test it. Blind-test it. If your MDR can’t spot Responder in under five minutes, change provider or tune the thing properly.
2. Disable IPv6 or secure it. RA-Guard, DHCPv6 Guard, whatever—it’s 2025, ignorance isn’t cute.
3. Turn on SMB-signing, kill SMB v1. Yes, that ancient copier might whine—patch it or bin it.
4. Rip DA rights from humans. If a vendor “needs” domain admin, they also need a chaperone—and a daily expiry.
5. Patch everything, not just Windows. The exploit-du-jour is as happy in an old Java runtime as it is in the kernel.
6. Phish for sport. Realistic, well-crafted campaigns every quarter. Numbers stay honest; muscles stay flexed.
7. Assume compromise and rehearse. A plan practiced is a plan followed; a plan in a binder is a doorstop.
Until that happens, we pentesters—and the ransomware crews—will keep enjoying easy wins. Your move.

Wynn Jones ECSA LPT CEH CHFI OSCP CPSA CCSA CVE CCA